
Peeper

Peeper reads executable headers, searches for telltale signs of bloat, and reads version fixed file info. The integrated QuikView utility provides header information as well, but uses user-friendly names which may only increase the amount of work needed by a developer, who must then translate these supposedly friendly names back into something more immediately recognizable.

Peeper does not read COM headers, but does read the headers of all 'executable', i.e. relocatable, images - which is just about everything these days.

Peeper reads MZ headers, found in all Win32 images; LE headers, found in OS/2 images and VxD drivers; NE headers, found in Win16 images; and PE headers, found in Win32 images.

Peeper scans images for 'telltale' strings, signs of one or another form of impending bloat.

Peeper also reads 'fixed file info' which may give you a better idea what's been going on with an image than the 'string file info' version info normally displayed.

MZ

This is the DOS header, named after the programmer who put his initials into every relocatable ever written for the PC: Mark Zbikowski, later on a developer on the NT team.

  • Magic - the magic number or string which identifies the file as a DOS executable. This magic is always Mark's initials, 'MZ'.
  • Pages - the number of pages which the DOS part of the image uses. The number in parentheses is the number of bytes on the final page.
  • Relocations - the number of relocations in the DOS part of the image.
  • Header paragraphs - the size of the header in paragraphs - a paragraph is usually 16 bytes.
  • Minimum extra paragraphs, Maximum extra paragraphs - how the executable will use memory. Often these will be set to 0 and FFFFh, the maximum 16-bit value.
  • Initial SS, Initial SP - the initial stack pointer (Stack Segment, Stack Pointer). Remember, we're talking about 16-bit segmented memory here!
  • Checksum - an internal checksum used by the stub. Often set to B8h.
  • Initial IP, Initial CS - the initial relative instruction pointer value (Instruction Pointer, Code Segment), calculated as an offset from the beginning of the file.
  • Relocation table - the size in bytes of the relocation table.
  • Overlay # - used by executables which swap out images as need be. When used as a stub for a Win32 executable, the value for the DOS part of the image here will be 0, as no overlays are in use.
  • OEM ID, OEM info - the identifier for OEM-specific information and the information itself.
  • Next header - the offset in bytes to the next header in the file (LE, NE, or PE).
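As an added illustration of how the MZ fields above fit together (this is example code written for this page, not part of Peeper or any Radsoft product), the following Python decodes a DOS header with the standard library's struct module, derives the DOS image size from the page count and the bytes on the final page, and follows 'Next header' to the LE, NE or PE signature. The field names are our own; the sample bytes are constructed, not taken from a real program.

```python
import struct

# IMAGE_DOS_HEADER is 64 bytes. Field order follows the public PE/COFF layout and
# matches the order in which the fields are listed above; the names are ours.
_DOS_FMT = "<2s13H8sHH20sI"
_DOS_SIZE = struct.calcsize(_DOS_FMT)      # 64
_DOS_NAMES = ("magic", "bytes_last_page", "pages", "relocations", "header_paras",
              "min_paras", "max_paras", "init_ss", "init_sp", "checksum",
              "init_ip", "init_cs", "reloc_table", "overlay", "_reserved",
              "oem_id", "oem_info", "_reserved2", "next_header")

def parse_mz(data):
    """Return the MZ header fields as a dict; raise ValueError if there is none."""
    if len(data) < _DOS_SIZE:
        raise ValueError("file shorter than a DOS header")
    fields = struct.unpack_from(_DOS_FMT, data, 0)
    if fields[0] != b"MZ":
        raise ValueError("no MZ magic")
    return dict(zip(_DOS_NAMES, fields))

def dos_image_size(hdr):
    """Bytes used by the DOS part: whole 512-byte pages plus the partial last page.
    A zero 'bytes on last page' means the last page is full."""
    pages, last = hdr["pages"], hdr["bytes_last_page"]
    return pages * 512 if last == 0 else (pages - 1) * 512 + last

def next_header_kind(data):
    """Follow 'Next header' to the LE, NE or PE header. The offset is bounds-checked
    before use, as a loader must do, because it comes straight from untrusted file bytes."""
    hdr = parse_mz(data)
    off = hdr["next_header"]
    if off < _DOS_SIZE or off + 4 > len(data):
        raise ValueError("next header offset %#x lies outside the file" % off)
    sig = data[off:off + 4]
    if sig == b"PE\0\0":
        return "PE", off
    if sig[:2] in (b"NE", b"LE"):
        return sig[:2].decode("ascii"), off
    raise ValueError("unrecognised header signature %r" % sig[:2])

def build_sample():
    """Constructed sample (not a real program): a DOS header of 4 paragraphs whose
    'Next header' points at a 'PE\\0\\0' signature at offset 0x80."""
    hdr = struct.pack(_DOS_FMT, b"MZ", 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0,
                      0x40, 0, b"\0" * 8, 0, 0, b"\0" * 20, 0x80)
    return hdr + b"\0" * (0x80 - _DOS_SIZE) + b"PE\0\0" + b"\0" * 20

if __name__ == "__main__":
    sample = build_sample()
    mz = parse_mz(sample)
    print("header bytes:", mz["header_paras"] * 16, "DOS image bytes:", dos_image_size(mz))
    print("next header:", next_header_kind(sample))
```

The bounds check in next_header_kind is the part worth copying: a 'Next header' value that points past the end of the file is the classic malformed-image case, and a viewer that trusts it reads out of bounds.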

NE

The 'New Executable' header, used by Win16. Win16 executables were not designed to map quickly into virtual memory, but to make their segments readily accessible as needed.

  • Magic - this is always 'NE' ('New Executable').
  • Version, Revision - the version and revision numbers.
  • Entry table offset, Entry table size - the offset to and the size of the entry table.
  • Checksum - often 0.
  • Flags - used to identify the expected operating system. Often 30Ah (Windows 3.1x).
  • Automatic data segment # - the automatic data segment number.
  • Initial heap - the initial size in bytes of the dynamic allocation heap.
  • Initial stack - the initial size in bytes of the stack.
  • Initial CS:IP - the initial code segment number and instruction pointer.
  • Initial SS:SP - the initial stack segment number and stack pointer.
  • Segments - the number of file segments in the image.
  • Module reference table entries - the number of entries in the module reference table.
  • Non-resident name table size - the size of the non-resident name table.
  • Segment table offset - the offset of the segment table.
  • Resource table offset - the offset of the resource table.
  • Module reference table offset - the offset of the module reference table.
  • Imported names table offset - the offset of the imported names table.
  • Non-resident names table offset - the offset of the non-resident names table.
  • Moveable entries - the number of moveable entries.
  • Segment alignment shift - the segment alignment shift count.
  • Resource segments - the number of resource segments in the image.
  • Operating system - the expected target operating system (2 is default, 'Windows').
  • Additional flags - additional executable flags.
  • Return thunks offset - where to return 'thunks', i.e. code used in bridging the '16-bit/32-bit barrier'.
  • Segment ref bytes offset - the offset to segment ref. bytes.
  • Minimum code swap area - the minimum size of the code swap area.
  • Expected Windows version - the expected target Windows version number (hexadecimal). Normally 30Ah ('Windows 3.1x').

LE

The header used by OS/2 and 16-bit VxDs. The contents of the LE header are either eminently clear or totally unfathomable. As files using this header are soon obsolete, you might skip this section and go immediately to the next.

  • Magic - always 'LE'.
  • Byte order - the byte order used. Default is 0.
  • Word order - the word order used. Default is 0.
  • EXE format level - the EXE format level. For now, always 0.
  • CPU type - the type of CPU. Guess what '2' means?
  • OS type - the type of operating system. Guess what '4' stands for...
  • Module version - the module version.
  • Module flags - the module flags.
  • Module pages - the module number pages.
  • IP object # - the object number for the instruction pointer.
  • Extended IP - the extended instruction pointer.
  • SP object # - the object number for the stack pointer.
  • Extended SP - the extended stack pointer.
  • Page size - the image page size.
  • Last page size - the size of the last page in the image.
  • Fixup section size - the size of the fixup section.
  • Fixup section checksum - the fixup section checksum (often 0).
  • Loader section size - the size of the loader section.
  • Loader section checksum - the loader section checksum (often 0).
  • Object table offset - the offset of the object table.
  • Module objects - the number of objects in the module.
  • Object page map offset - the offset of the object page map.
  • Object iterated data map offset - the offset of the object iterated data map.
  • Resource table offset, Resource entries - the offset of and number of entries in the resource table.
  • Resident name table offset - the offset of the resident name table.
  • Entry table offset - the offset of the entry table.
  • Module directive table offset, Module directives - the offset of and number of entries in the module directive table.
  • Fixup page table offset - the offset of the fixup page table.
  • Fixup record table offset - the offset of the fixup record table.
  • Import module name table offset, Import module name table entries - the offset of and number of entries in the import module name table.
  • Import procedure name table offset - the offset of the import procedure name table.
  • Per-page checksum table offset - the offset of the per-page checksum table.
  • Enumerated data pages offset - the offset of the enumerated data pages.
  • Preload pages - the number of preload pages.
  • Non-resident names table offset, Non-resident names table size, Non-resident names table checksum - the offset, size and checksum of the non-resident names table.
  • Automatic data object # - the object number for automatic data.
  • Debug info offset, Debug info size - the offset and size of the image debugging information.
  • Preload section instance pages - the number of instance pages in the preload section.
  • Demand load section instance pages - the number of instance pages in the demand load section.
  • Heap size - the heap size.
  • Resource offset, Resource size - the resource offset and size.
  • Device ID - the identifier of the device for which the driver is intended.
  • DDK version - the version number of the device driver development kit used to build the image.

PE

The 'portable executable' header. All Win32 images use it, regardless of the target platform. As with the PE image format itself, it borrows a lot from the world of UNIX - and actually improves on it. PE images are designed to map directly into virtual memory, so normally their representation in virtual memory is the disk image itself, with as few as 16 bytes needing to be patched before it's ready to run - so when Microsoft claims PE executables load almost instantaneously, for once they're not exaggerating.

  • Signature - this is always a DWORD value: 00004550h ('PE\0\0').
  • Machine - denotes the machine the executable will run on:
    • 14Ch - Intel
    • 160h - MIPS big-endian
    • 162h - MIPS little-endian
    • 184h - Alpha
    • 1F0h - PowerPC
  • Sections - the number of sections in the image. 'Sections' replaces 'segments' with Win32 executables.
  • Stamp - the number of seconds since January 1, 1970 UTC when the image was built.
  • Symbol pointer - the pointer to the symbol table.
  • Symbols - the number of symbols.
  • Optional header size - the size of the PE optional header. The optional header is not so 'optional' actually, and is normally included.
  • Characteristics - characteristics of the image. These can include:
    • Reloc info stripped - no more relocation info (this is normally good).
    • Executable - i.e. the image can run, i.e. it has no unresolved external references.
    • Line numbers stripped - source code line numbers have been removed (other debug info may remain).
    • Local symbols stripped - names of symbolic addresses have been removed (other debug info may remain).
    • Aggressive working set - most RIX system tray apps have this characteristic. The operating system will hold the application's use of RAM down to an absolute minimum.
    • Low reversed word - machine words are stored in reverse order.
    • 32-bit word machine - the target machine regards a DWORD as a WORD.
    • Debug info stripped - debugging information removed (other debug info may remain).
    • Removable from swap - the executable can run completely from virtual memory (useful for uninstall programs which remove themselves).
    • Net from swap - the image can be run from a network and in virtual memory alone.
    • System file - a system file. This characteristic is not used often.
    • DLL - the image is a DLL.
    • UP only - the image should only be run on a UP (uniprocessor) machine.
    • High reversed word - machine words are stored in reverse order.
  • Magic - 10Bh.
  • Linker version - the version number of the linker used to build the image.
  • Code size - the size of the code in the image.
  • Initialized data - the size of initialized data.
  • Uninitialized data - the size of uninitialized data (with 'good' executables this should be 0).
  • Entry point - the offset of the image entry point (where the operating system transfers control).
  • Code base - the offset of the start of the code section.
  • Data base - the offset of the start of the data section.
  • Image base - the virtual address where the image should be loaded (applications are normally loaded at 4MB - this used to be 1MB, but Windows 95 couldn't handle it).
  • Section alignment - the size of the sections of the image as they should be loaded into memory (normally equal to the granularity of virtual memory, i.e. 4KB on all platforms except the Alpha, where it is 8KB instead).
  • File alignment - the size of the sections in the disk image itself (this is variable, and can often be 512 bytes; optimizing this value can reduce the actual space needed to store the image on disk).
  • OS version - the expected version number of the operating system.
  • Image version - the version number of the image (should be set at link time to the version of the target operating system).
  • Subsystem version - the expected version number of the subsystem the executable will run in.
  • Win32 version value - not used for much yet. Normally 0.
  • Image size - the size of the image when loaded (must of course be a multiple of the virtual memory granularity).
  • Headers size - the cumulative size of the PE header information (1KB not unusual).
  • Checksum - an arbitrary checksum. Used mainly for system files.
  • Subsystem - the subsystem the executable will run in:
    • 0 - Unknown.
    • 1 - Native (runs directly under the XP kernel).
    • 2 - Windows GUI.
    • 3 - Windows character.
    • 5 - OS/2 character.
    • 7 - POSIX character.
  • DLL characteristics - used occasionally by DLLs.
  • Stack reserve - the amount of memory reserved (not allocated) for the program stack.
  • Stack commit - the amount of memory allocated for the program stack.
  • Heap reserve - the amount of heap reserved (not allocated) for dynamic allocations.
  • Heap commit - the amount of heap initially allocated from the process heap.
  • Loader flags - special flags for the OS loader.
  • Data directories - the PE file and header formats admit of 16 data directories, of which 15 are currently named or in use; Peeper lists the 'virtual addresses' and sizes of all 16:
    • Export - where external executables will find information about the contents of the image.
    • Import - where the image lists its dependencies.
    • Resource - where the image stores its resources, i.e. menus, cursors, dialogs, icons et al.
    • Exception - SEH code.
    • Security - security information.
    • Reloc - relocation information.
    • Debug - debug information; should not be found in release builds.
    • Description - a copyright string.
    • MIPS GP - a global pointer value for MIPS platforms.
    • TLS - thread local storage, i.e. variables that are unique for every thread; CPA uses this section extensively.
    • Load Config - the load config directory. Not always necessary.
    • Bound Import - if the image is bound, this section will have information for hooking up to external code at runtime; if the image is not bound, this section is not used.
    • Import Address - the import address table.
    • Delay Import - delay load import descriptors.
    • COM Runtime - COM runtime descriptor.
    • (Reserved) - listed by Peeper for the sake of completeness.
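The PE fields above, read in the order Peeper shows them, as an added Python example (written for this page; not Peeper's code). It follows 'Next header' to the 'PE\0\0' signature, unpacks the file header and the PE32 optional header, decodes Characteristics, Machine and Subsystem with the names used above, lists the 16 data directories, and runs the sanity checks the descriptions imply (image size a multiple of the section alignment, entry point inside the image, no uninitialized data, no debug directory). The flag bit values are the IMAGE_FILE_* constants from the PE/COFF specification; the sample header bytes are constructed and describe no real file.

```python
import struct
from datetime import datetime, timezone

# Names as listed above; bit values are the IMAGE_FILE_* constants of the PE/COFF spec.
CHARACTERISTICS = [
    (0x0001, "Reloc info stripped"), (0x0002, "Executable"),
    (0x0004, "Line numbers stripped"), (0x0008, "Local symbols stripped"),
    (0x0010, "Aggressive working set"), (0x0080, "Low reversed word"),
    (0x0100, "32-bit word machine"), (0x0200, "Debug info stripped"),
    (0x0400, "Removable from swap"), (0x0800, "Net from swap"),
    (0x1000, "System file"), (0x2000, "DLL"), (0x4000, "UP only"),
    (0x8000, "High reversed word")]
MACHINES = {0x14C: "Intel", 0x160: "MIPS big-endian", 0x162: "MIPS little-endian",
            0x184: "Alpha", 0x1F0: "PowerPC"}
SUBSYSTEMS = {0: "Unknown", 1: "Native", 2: "Windows GUI", 3: "Windows character",
              5: "OS/2 character", 7: "POSIX character"}
DIRECTORIES = ["Export", "Import", "Resource", "Exception", "Security", "Reloc",
               "Debug", "Description", "MIPS GP", "TLS", "Load Config", "Bound Import",
               "Import Address", "Delay Import", "COM Runtime", "(Reserved)"]

FILE_HDR = "<HHIIIHH"        # Machine .. Characteristics, 20 bytes after 'PE\0\0'
OPT_HDR = "<HBB9I6H4IHH6I"   # PE32 optional header up to the data directories, 96 bytes
OPT_NAMES = ("magic", "linker_major", "linker_minor", "code_size", "init_data",
             "uninit_data", "entry_point", "code_base", "data_base", "image_base",
             "section_align", "file_align", "os_major", "os_minor", "image_major",
             "image_minor", "subsys_major", "subsys_minor", "win32_version",
             "image_size", "headers_size", "checksum", "subsystem", "dll_characteristics",
             "stack_reserve", "stack_commit", "heap_reserve", "heap_commit",
             "loader_flags", "num_directories")

def decode_characteristics(value):
    names = [name for bit, name in CHARACTERISTICS if value & bit]
    unlisted = value & ~sum(bit for bit, _ in CHARACTERISTICS) & 0xFFFF
    if unlisted:
        names.append("unlisted bits %#06x" % unlisted)
    return names

def parse_pe(data):
    """MZ 'Next header' -> 'PE\\0\\0' -> file header -> PE32 optional header -> directories.
    Every offset and count is bounds-checked: these bytes are untrusted input."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 60)[0]
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at %#x" % pe)
    machine, nsect, stamp, _symptr, _nsyms, optsize, chars = struct.unpack_from(FILE_HDR, data, pe + 4)
    opt_off = pe + 24
    if optsize < struct.calcsize(OPT_HDR) or opt_off + optsize > len(data):
        raise ValueError("optional header truncated")
    opt = dict(zip(OPT_NAMES, struct.unpack_from(OPT_HDR, data, opt_off)))
    if opt["magic"] != 0x10B:
        raise ValueError("not a PE32 optional header (magic %#x)" % opt["magic"])
    # Never trust the directory count blindly: cap at 16 and at what the header holds.
    ndirs = min(opt["num_directories"], 16, (optsize - 96) // 8)
    dirs = {DIRECTORIES[i]: struct.unpack_from("<II", data, opt_off + 96 + 8 * i)
            for i in range(ndirs)}
    return {"machine": MACHINES.get(machine, "%#x" % machine), "sections": nsect,
            "stamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "characteristics": decode_characteristics(chars),
            "subsystem": SUBSYSTEMS.get(opt["subsystem"], "%#x" % opt["subsystem"]),
            "optional": opt, "directories": dirs}

def sanity_checks(info):
    """Checks implied by the field descriptions above; returns a list of complaints."""
    opt, issues = info["optional"], []
    if not opt["section_align"] or opt["image_size"] % opt["section_align"]:
        issues.append("image size is not a multiple of the section alignment")
    if opt["entry_point"] >= opt["image_size"]:
        issues.append("entry point lies outside the loaded image")
    if opt["uninit_data"]:
        issues.append("uninitialized data present")
    if info["directories"].get("Debug", (0, 0))[1]:
        issues.append("debug directory present (not expected in a release build)")
    return issues

def build_sample():
    """Constructed PE32 console header (no sections or code follow); not a real file."""
    mz = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    fhdr = struct.pack(FILE_HDR, 0x14C, 2, 915148800, 0, 0, 96 + 16 * 8, 0x010F)
    opt = struct.pack(OPT_HDR, 0x10B, 6, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x400, 0,
                      3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[12] = (0x2000, 0x28), (0x2100, 0x10)   # Import, Import Address
    return mz + b"PE\0\0" + fhdr + opt + b"".join(struct.pack("<II", *d) for d in dirs)

if __name__ == "__main__":
    info = parse_pe(build_sample())
    for key in ("machine", "sections", "stamp", "characteristics", "subsystem"):
        print(key, info[key])
    print("problems:", sanity_checks(info) or "none")
```

Bits the page does not name are reported as 'unlisted bits' rather than silently dropped, and the directory count is capped both at 16 and at what 'Optional header size' actually covers, so a header that claims more directories than it contains cannot make the reader run past the end of the buffer.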

BV

This function is on loan from Blobview: it estimates the bloat factor of the image by ferreting out telltale strings.

  • Afx - indicates an MFC build.
  • Ctl3d - indicates either a static or a dynamic link with the outdated Ctl3d library. Modern 32-bit applications for Windows should not use this library. The MFC uses this library by default, but any knowledgeable programmer should see this when first generating a program skeleton with App Wizard and remove the calls.
  • Delphi - indicates a Delphi build (doh).
  • MSVBVM - indicates the use of the Visual Basic virtual machine - in other words, the application is a Visual Basic application.
  • MSVCRT20.DLL and MSVCRT40.dll - outdated Microsoft runtime DLLs which have been replaced with the universal MSVCRT.dll. Modern 32-bit applications should link with MSVCRT.dll instead.
  • RegCreateKey - indicates the application will attempt to write to the Registry.
  • TApplication - indicates an OWL (Borland) build.
  • TerminateProcess and TerminateThread - the 'killer' calls. TerminateThread should hopefully never be found. As for TerminateProcess, see below.
  • VB40032.DLL - a somewhat outdated Visual Basic runtime library - in other words, the application is a somewhat outdated Visual Basic application.
  • VBAEN32.olb and VBAR332.dll - both Visual Basic for Applications DLLs.
  • Visual C++ Runtime Library - indicates the static link of MSVCRT.dll - something not recommended. If the count for TerminateProcess is not more than 1 and the string Visual C++ Runtime Library is also found, then the source of the TerminateProcess call is in the statically linked MS runtime. If however the count of TerminateProcess is greater than the count of Visual C++ Runtime Library, then the proprietary code of the application is making the call to TerminateProcess - something that can never be recommended or condoned.
  • WritePrivateProfileString - an indication that the application is using the outdated INI file technology. However if the string Afx is also found, the MFC could be wrapping this call into a Registry storage call (string and DWORD formats only).
  • WriteProfileString - an indication that the application will attempt to write to WIN.INI.
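The telltale scan and the reasoning rules above (TerminateProcess count against 'Visual C++ Runtime Library', WritePrivateProfileString alongside Afx), as an added Python example written for this page; it is not Blobview's or Peeper's code. The sample bytes are constructed to look like a run of import-table strings and come from no real program. DLL and OLB file names are matched case-insensitively, since the page itself writes them in mixed case; identifiers such as RegCreateKey are matched exactly, so suffixed variants like RegCreateKeyExA are counted too.

```python
# Telltale strings and what each one signals, as listed above.
TELLTALES = {
    "Afx": "MFC build",
    "Ctl3d": "link with the outdated Ctl3d library",
    "Delphi": "Delphi build",
    "MSVBVM": "Visual Basic virtual machine",
    "MSVCRT20.DLL": "outdated Microsoft runtime DLL",
    "MSVCRT40.DLL": "outdated Microsoft runtime DLL",
    "RegCreateKey": "writes to the Registry",
    "TApplication": "OWL (Borland) build",
    "TerminateProcess": "killer call",
    "TerminateThread": "killer call (should never be found)",
    "VB40032.DLL": "outdated Visual Basic runtime",
    "VBAEN32.OLB": "Visual Basic for Applications",
    "VBAR332.DLL": "Visual Basic for Applications",
    "Visual C++ Runtime Library": "static link of MSVCRT.dll",
    "WritePrivateProfileString": "INI file technology",
    "WriteProfileString": "writes to WIN.INI",
}

def count_telltales(data):
    """Count each telltale in the raw image bytes. File names are matched
    case-insensitively (Windows file names are); API names and identifiers exactly."""
    lowered = data.lower()
    counts = {}
    for text in TELLTALES:
        needle = text.encode("ascii")
        if text.upper().endswith((".DLL", ".OLB")):
            n = lowered.count(needle.lower())
        else:
            n = data.count(needle)
        if n:
            counts[text] = n
    return counts

def assess(counts):
    """Apply the rules given above to the counts; returns the verdicts in order."""
    verdicts = []
    tp = counts.get("TerminateProcess", 0)
    crt = counts.get("Visual C++ Runtime Library", 0)
    if tp and tp <= 1 and crt:
        verdicts.append("TerminateProcess comes from the statically linked MS runtime")
    elif tp > crt:
        verdicts.append("the application's own code calls TerminateProcess")
    if counts.get("TerminateThread"):
        verdicts.append("TerminateThread is present")
    if counts.get("WritePrivateProfileString"):
        if counts.get("Afx"):
            verdicts.append("INI call present, possibly wrapped by MFC into Registry storage")
        else:
            verdicts.append("uses the outdated INI file technology")
    for name in ("Ctl3d", "MSVCRT20.DLL", "MSVCRT40.DLL", "VB40032.DLL"):
        if counts.get(name):
            verdicts.append("outdated library: " + name)
    return verdicts

# Constructed sample: a few import-table-style strings separated by NULs, as they
# would sit in an image's data; not bytes taken from any real program.
SAMPLE = (b"\0\0Afx\0\0MSVCRT40.dll\0TerminateProcess\0\0WritePrivateProfileStringA\0"
          b"Visual C++ Runtime Library\0\0TerminateProcess\0RegCreateKeyExA\0")

if __name__ == "__main__":
    found = count_telltales(SAMPLE)
    for text, n in found.items():
        print("%-28s %2d  %s" % (text, n, TELLTALES[text]))
    print("\n".join(assess(found)))
```

A scan like this is a heuristic, not proof: a string can be present in a resource or a copyright notice without the matching call ever executing, which is why the rules above compare counts rather than treating one hit as a verdict.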

VI

Fixed file version info.

  • Signature - this is always a DWORD value: FEEF04BDh.
  • StructVersion - for now, always 1.00.
  • FileVersionMS, FileVersionLS, ProductVersionMS, ProductVersionLS - the most significant and least significant DWORDs of the file and product versions. Version info file and product versions consist of four 16-bit integers. These fields are not mandatory in the least (RIX apps do not use them) but it's interesting to see at times whether other corporations which do use them can successfully coordinate them with the string file info (compare by hitting Properties on the X-file toolbar where you just dragged the target onto Peeper and clicking to the Version tab). Note again: these fields are not the source of the version number info in the Properties sheets - but if used they should render the same number.
  • FileFlagsMask - indicates which bits of the FileFlags field can be valid. Most often set to 3F (i.e. all of the following FileFlags options). Other sparsely documented values are sometimes used.
  • FileFlags - bitwise and often set to 0 (and thereby not used). Can theoretically be any combination of the following:
    • VS_FF_DEBUG - the file contains debugging information or is otherwise compiled with debugging features enabled.
    • VS_FF_INFOINFERRED - dynamically created version info resources - thus some blocks may be empty or incorrect. This flag should not appear in release builds using the VERSIONINFO statement.
    • VS_FF_PATCHED - the file has been modified and is not identical to the original shipping file of the same number.
    • VS_FF_PRERELEASE - the file is not a commercially released product.
    • VS_FF_PRIVATEBUILD - the file is not a standard release. If this field is found then string file info should contain a PrivateBuild entry.
    • VS_FF_SPECIALBUILD - the file was built with standard release procedures but not an official build. If this field is found then string file info should contain a SpecialBuild entry.
  • FileOS - a DWORD which describes the intended target GUI and OS. Some companies use this field correctly, others do not. The following five 'hiword' values:
    • VOS_UNKNOWN - target OS unknown.
    • VOS_DOS - target OS is MS-DOS.
    • VOS_OS216 - target OS is 16-bit OS/2.
    • VOS_OS232 - target OS is 32-bit OS/2.
    • VOS_NT - target OS is XP.
    Are often combined with the following five 'loword' values:
    • VOS__BASE - placeholder only.
    • VOS__WINDOWS16 - 16-bit Windows.
    • VOS__PM16 - 16-bit Presentation Manager.
    • VOS__PM32 - 32-bit Presentation Manager.
    • VOS__WINDOWS32 - 32-bit Windows.
    To yield the following rather more complete DWORD values:
    • VOS_DOS_WINDOWS16 - 16-bit Windows running on MS-DOS (i.e. Win16).
    • VOS_DOS_WINDOWS32 - 32-bit Windows running on MS-DOS (i.e. Windows 9x).
    • VOS_OS216_PM16 - 16-bit Presentation Manager running on 16-bit OS/2.
    • VOS_OS232_PM32 - 32-bit Presentation Manager running on 32-bit OS/2.
    • VOS_NT_WINDOWS32 - 32-bit Windows running on XP.
    (Peeper will only mention the first ten if none of the last five apply.)
  • FileType - the type of executable:
    • VFT_UNKNOWN - the file is of an unknown type.
    • VFT_APP - the file is an application.
    • VFT_DLL - the file is a DLL.
    • VFT_DRV - the file is a system driver (found on XP).
    • VFT_FONT - the file is a font (normally with extension FON).
    • VFT_STATIC_LIB - the file is a static link library.
    • VFT_VXD - the file is a virtual (16-bit) device driver.
  • FileSubtype - used if FileType is VFT_DRV:
    • VFT2_UNKNOWN - unknown driver type.
    • VFT2_DRV_COMM - communications driver.
    • VFT2_DRV_DISPLAY - display driver.
    • VFT2_DRV_INPUTMETHOD - input method driver.
    • VFT2_DRV_INSTALLABLE - installable driver.
    • VFT2_DRV_KEYBOARD - keyboard driver.
    • VFT2_DRV_LANGUAGE - language driver.
    • VFT2_DRV_MOUSE - mouse driver.
    • VFT2_DRV_NETWORK - network driver.
    • VFT2_DRV_PRINTER - printer driver.
    • VFT2_DRV_SOUND - sound driver.
    • VFT2_DRV_SYSTEM - system driver.
    Or if FileType is VFT_FONT:
    • VFT2_UNKNOWN - unknown font type.
    • VFT2_FONT_RASTER - raster font.
    • VFT2_FONT_VECTOR - vector font.
    • VFT2_FONT_TRUETYPE - TrueType font.
  • FileDateMS, FileDateLS - normally not used, although available. The most significant and least significant DWORDs of the file's 64-bit XP FILETIME stamp. Zero in both fields yields Jan 1, 1601 00:00:00.000.
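The fixed file info structure above, decoded in Python as an added example written for this page (not Peeper's code): it checks the FEEF04BDh signature, splits the version DWORDs into their four 16-bit integers, masks FileFlags with FileFlagsMask before naming any flag, names FileOS by the combined value when one of the five combined values applies and by its hiword and loword parts otherwise, resolves FileSubtype against the driver or font table depending on FileType, and converts the FILETIME stamp (zero yields Jan 1, 1601). The numeric constants are the Win32 SDK values for the names listed above. It also includes the check the page suggests, comparing the fixed FileVersion with the string file info's FileVersion. The sample structure is constructed and describes no real file.

```python
import struct
from datetime import datetime, timedelta

FFI_FMT = "<13I"                 # VS_FIXEDFILEINFO: thirteen DWORDs, 52 bytes
FFI_SIGNATURE = 0xFEEF04BD

# Names as listed above; numeric values are the Win32 SDK constants.
FILE_FLAGS = [(0x01, "VS_FF_DEBUG"), (0x02, "VS_FF_PRERELEASE"), (0x04, "VS_FF_PATCHED"),
              (0x08, "VS_FF_PRIVATEBUILD"), (0x10, "VS_FF_INFOINFERRED"),
              (0x20, "VS_FF_SPECIALBUILD")]
OS_HI = {0: "VOS_UNKNOWN", 1: "VOS_DOS", 2: "VOS_OS216", 3: "VOS_OS232", 4: "VOS_NT"}
OS_LO = {0: "VOS__BASE", 1: "VOS__WINDOWS16", 2: "VOS__PM16", 3: "VOS__PM32",
         4: "VOS__WINDOWS32"}
OS_COMBINED = {0x10001: "VOS_DOS_WINDOWS16", 0x10004: "VOS_DOS_WINDOWS32",
               0x20002: "VOS_OS216_PM16", 0x30003: "VOS_OS232_PM32",
               0x40004: "VOS_NT_WINDOWS32"}
FILE_TYPES = {0: "VFT_UNKNOWN", 1: "VFT_APP", 2: "VFT_DLL", 3: "VFT_DRV", 4: "VFT_FONT",
              5: "VFT_VXD", 7: "VFT_STATIC_LIB"}
DRV_SUBTYPES = {0: "VFT2_UNKNOWN", 1: "VFT2_DRV_PRINTER", 2: "VFT2_DRV_KEYBOARD",
                3: "VFT2_DRV_LANGUAGE", 4: "VFT2_DRV_DISPLAY", 5: "VFT2_DRV_MOUSE",
                6: "VFT2_DRV_NETWORK", 7: "VFT2_DRV_SYSTEM", 8: "VFT2_DRV_INSTALLABLE",
                9: "VFT2_DRV_SOUND", 10: "VFT2_DRV_COMM", 11: "VFT2_DRV_INPUTMETHOD"}
FONT_SUBTYPES = {0: "VFT2_UNKNOWN", 1: "VFT2_FONT_RASTER", 2: "VFT2_FONT_VECTOR",
                 3: "VFT2_FONT_TRUETYPE"}

def split_version(ms, ls):
    """Two DWORDs -> the four 16-bit integers of a version number."""
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def filetime_to_datetime(ms, ls):
    """64-bit FILETIME (100 ns ticks since 1601-01-01) -> datetime; zero yields 1601-01-01."""
    ticks = (ms << 32) | ls
    return datetime(1601, 1, 1) + timedelta(microseconds=ticks // 10)

def parse_fixed_file_info(blob):
    if len(blob) < struct.calcsize(FFI_FMT):
        raise ValueError("VS_FIXEDFILEINFO truncated")
    (sig, strucver, fv_ms, fv_ls, pv_ms, pv_ls, mask, flags,
     file_os, file_type, subtype, date_ms, date_ls) = struct.unpack_from(FFI_FMT, blob, 0)
    if sig != FFI_SIGNATURE:
        raise ValueError("bad signature %#x" % sig)
    valid_flags = flags & mask            # only bits inside FileFlagsMask are meaningful
    if file_os in OS_COMBINED:            # name the combined value when one applies ...
        os_name = OS_COMBINED[file_os]
    else:                                 # ... otherwise the hiword and loword parts
        os_name = "%s | %s" % (OS_HI.get(file_os >> 16, "%#x" % (file_os >> 16)),
                               OS_LO.get(file_os & 0xFFFF, "%#x" % (file_os & 0xFFFF)))
    sub_table = {3: DRV_SUBTYPES, 4: FONT_SUBTYPES}.get(file_type, {})
    return {"struct_version": (strucver >> 16, strucver & 0xFFFF),
            "file_version": split_version(fv_ms, fv_ls),
            "product_version": split_version(pv_ms, pv_ls),
            "flags": [name for bit, name in FILE_FLAGS if valid_flags & bit],
            "os": os_name,
            "type": FILE_TYPES.get(file_type, "%#x" % file_type),
            "subtype": sub_table.get(subtype, "%#x" % subtype) if sub_table else None,
            "date": filetime_to_datetime(date_ms, date_ls)}

def versions_agree(info, string_file_version):
    """Compare the fixed FileVersion with the string file info's FileVersion
    ('1.2.3.4' or '1, 2, 3, 4'); a mismatch means the two were not coordinated."""
    parts = [int(p) for p in string_file_version.replace(",", ".").split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4]) == info["file_version"]

def build_sample():
    """Constructed VS_FIXEDFILEINFO for a display driver, version 1.2.3.4, flagged
    pre-release, with one bit set outside the mask; not taken from any real file."""
    return struct.pack(FFI_FMT, FFI_SIGNATURE, 0x00010000, 0x00010002, 0x00030004,
                       0x00010000, 0, 0x3F, 0x42, 0x40004, 3, 4, 0, 0)

if __name__ == "__main__":
    info = parse_fixed_file_info(build_sample())
    for key, value in info.items():
        print("%-16s %s" % (key, value))
    print("matches string info 1.2.3.4:", versions_agree(info, "1, 2, 3, 4"))
```

Masking FileFlags before naming them is the detail that matters: a set bit outside FileFlagsMask is not a valid flag, and a viewer that prints it anyway reports a VS_FF_ value the file never claimed.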

File size: 10.5KB.

Copyright © Radsoft. All rights reserved.